b'September 25, 2000\nAudit Report No. 00-043\n\n\nAudit of DIRM\xe2\x80\x99s Actions to Ensure\nQuality Products\n\x0cFederal Deposit Insurance Corporation                                                          Office of Audits\nWashington, D.C. 20434                                                             Office of Inspector General\n\n\n\n   DATE:         September 25, 2000\n\n   TO:          Donald C. Demitros, Director,\n                Division of Information Resources Management and Chief Information Officer\n\n\n   FROM:         David H. Loewenstein\n                 Assistant Inspector General\n\n   SUBJECT: Audit of DIRM\xe2\x80\x99s Actions to Ensure Quality Products\n           (Audit Report No.00-043)\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General has completed an\n   audit of the FDIC\xe2\x80\x99s activities to ensure quality information systems. The overall objective of this\n   audit was to determine the effectiveness of the Division of Information Resources Management\'s\n   (DIRM) quality assurance (QA) activities related to the development and implementation of\n   information and financial systems. While prior audits addressing systems development efforts have\n   generally been comprehensive reviews related to the management of a specific project, this audit\n   focused on overall DIRM activities to ensure quality deliverables and identified several\n   opportunities for improvement.\n\n\n   BACKGROUND\n\n   The purpose of quality assurance (QA) in the systems development arena is to ensure the delivery\n   of quality systems that meet users\xe2\x80\x99 needs in a timely and cost-effective manner. Prior to 1998, a\n   small group within DIRM\xe2\x80\x99s Management Review Section administered a QA program. This group\n   has since been abolished and the associated DIRM circular on QA rescinded. According to DIRM\n   officials, these actions were based on a decision to eliminate a centralized QA function and increase\n   the responsibility and accountability of DIRM Project Managers and line managers for delivering\n   quality systems.\n\n   The need for effective QA has been illustrated by prior systems development projects that were\n   often delayed or not fully successful. DIRM\xe2\x80\x99s reliance on contractor support for systems\n   development efforts and today\xe2\x80\x99s more complex information technology (IT) infrastructures increase\n   the challenges associated with developing effective systems that meet user needs and are delivered\n   in a timely manner. During 2000, DIRM plans to spend as much as 59 percent of its personnel-\n   related expenditures for outside contractors. The use of contractor personnel can impact quality\n   because of: (1) the lessening of FDIC\'s control over the process, (2) increased risk of personnel\n   turnover during the project, and (3) the fact that contractor personnel are less familiar with the\n   FDIC\xe2\x80\x99s practices and business activities. Further, today\xe2\x80\x99s systems development activities are taking\n\x0cplace in an environment of increasingly more complex and rapidly changing technology. The IT\ninfrastructures used in today\xe2\x80\x99s distributed systems require that systems developers successfully\ninterface a variety of computer environments and software technologies.\nA strong QA program supports project managers and line managers in ensuring effective\ncoordination among the various DIRM organizational components needed to support today\xe2\x80\x99s\ndevelopment projects.\n\nQA related to information systems development includes two key components: (1) verification that\nwork products are complete and comply with systems development policies and procedures and (2)\nvalidation by the client that the work products reflect their needs. A QA program consisting of\nthese components addresses the quality of the planned system and the development process being\nused to create it. Verification determines the degree of clarity, traceability, internal consistency, and\ncompleteness for each of the products developed during the life cycle phases. An important aspect\nof verification is determining the degree of compliance with system development life cycle (SDLC)\ndocumentation standards. FDIC\'s standards are published in the FDIC SDLC Manual, a\ncomprehensive set of instructions that describe required processes and documentation for each of\nthe development phases. Validation determines whether each of the products captures the client\xe2\x80\x99s\nexpectations. Although the most common form of validation is system testing near project\ncompletion, effective validation addresses the completeness and accuracy of work products\nthroughout the development process. Validation is typically performed by client personnel, i.e.,\nrepresentatives of those who will be using the system. However, it may also be performed\nindependently, often by contractors. Independent validation would normally be performed only in\nparticularly large-scale, critical projects.\n\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nThe objective of this audit was to determine the effectiveness of DIRM\xe2\x80\x99s QA practices regarding\nsystems development projects. We did not attempt to determine the overall degree of success of\nindividual projects. Accordingly, the scope of this audit did not include project planning and\nadministration, but instead focused only on the quality assurance activities related to the developed\nwork products. The work products addressed in this audit were those produced in four of the eight\nphases of the SDLC. These are the requirements definition, external design, internal design, and test\nphases. These associated work products are developed during these phases as described below.\n\n\xe2\x80\xa2   Requirements Definition Phase - In this phase, user needs are analyzed and user requirements\n    are formally defined. These requirements include system functionality, data requirements,\n    system performance, security, and maintainability.\n\n\xe2\x80\xa2   External Design Phase - In this phase, the external physical characteristics of the application\n    system are designed, including the operating environment, user controls such as menus and\n    graphical interfaces, and system outputs such as screens and reports.\n\n\xe2\x80\xa2   Internal Design Phase - In this phase, a detailed structure of the system is designed, the system\n    is partitioned into one or more modules, and detailed logic specifications are prepared for each\n                                                   2\n\x0c    module. An initial Conversion Plan is developed that documents the strategy for converting\n    from an existing system to the new system.\n\n\xe2\x80\xa2   Test Phase - In this phase, DIRM and system clients perform tests. DIRM performs tests of\n    the individual system components, followed by DIRM and the client together testing the system\n    as a whole.\n\nTo accomplish the audit objective, we reviewed seven ongoing or recently completed projects and\nthree completed projects that we had previously audited. Regarding the latter, we limited our\nreview to the audit reports and related working papers. For the ongoing or recently completed\nprojects, we reviewed documentation and interviewed key project personnel. In evaluating the\nthoroughness of test phase activities, we selected samples of detailed systems\xe2\x80\x99 requirements and\ntraced them to associated test scenarios. The three completed systems selected for our review were\nthe General Examination System (GENESYS 1.0), Time and Attendance Processing System\n(TAPS), and Electronic Travel Voucher Processing System (ETVPS). We selected the other seven\nprojects for review based on suggestions from DIRM officials, the need to cover a diversity of\nclient organizations, and the need to ensure adequate audit coverage for each of the development\nphases. The current or recent projects reviewed were the (1) Assessments Information\nManagement System (AIMS II), (2) Electronic Procurement Request and Invoicing System\n(EPRIS), (3) General Examination System (GENESYS 2.0), (4) National Asset Information\nSystem (NAIS), (5) Statistical CAMELS Offsite Rating System (SCOR), (6) Structure\nInformation Management System (SIMS), and (7) System of Uniform Reporting of Compliance\nand CRA Exams (SOURCE). We do not refer specifically to these projects by name in the text of\nthis report; however, we shared our observations on each project with the respective Project\nManagers.\n\nThis audit included system development activities occurring over approximately 3 years beginning\nin 1997. We conducted the audit between February and May 2000 in accordance with generally\naccepted government auditing standards.\n\n\nRESULTS OF AUDIT\n\nEffective QA for system development projects helps to ensure consistent quality and timeliness of\nproject deliverables. Without an effective, comprehensive QA process, project success is overly\ndependent on the knowledge, experience, and capabilities of the DIRM Project Manager. We\nidentified opportunities for DIRM to improve overall QA effectiveness by formalizing certain\nprocesses related to verification of contractor work products and ensuring compliance with SDLC\nrequirements. These opportunities are based, in part, on best practices of DIRM Project Managers\nthat were identified during the audit.\n\nOur review of DIRM\'s verification of contractors\xe2\x80\x99 work products noted inconsistencies in the extent\nof review performed by the responsible Project Managers. As a result, the accuracy and\ncompleteness of the work products varied. However, we noted one ongoing project for which the\n\n                                                3\n\x0cProject Manager placed particular emphasis on reviews of contractor-provided work products. We\nbelieve that this focus contributed to the high quality of deliverables for this project and the rapid\nprogress toward project completion.\n\nThe emphasis given to verification can affect the degree of compliance with the FDIC\'s SDLC\ndocumentation standards. We noted that the degree of compliance varied by individual SDLC\nphases and those project phases with the better levels of compliance were the Requirements\nDefinition and Test Phases. Substantial improvement is needed for compliance in the External\nand Internal Design phases. The needed improvements include a more adequate description of the\nproposed technical architecture and enhanced guidance regarding when and how the External\nDesign Document and the Internal Design Document can be combined. We also noted a number of\nother departures from the SDLC standards relating to missing documentation, links between the\nTest Plan and the Functional Requirements Document, and missing elements in the Internal Design\nDocument.\n\nIn prior audits of two of the earlier development projects, we had noted insufficient validation of\nrequirements by the project team. However, for all current projects reviewed, the project teams\nwere consistently validating users\' requirements. This change was due, in part, to the teams more\nconsistently following a practice of developing requirements on an incremental basis and iteratively\nreviewing portions with client personnel. In addition to such validation efforts performed by the\nproject team and client personnel, specific situations can dictate the need for independent\nvalidation. Sometimes it is prudent to use an independent validation process where the\ndevelopment effort will support a large or varied user population. Another indicator of the need for\nindependent validation is whether there has been a long duration required for the development\neffort during which time there has been a significant turnover of client representatives and/or major\nchanges to the client\'s business practices. For the current projects reviewed, we did not identify any\nprojects meeting such criteria and thereby pointing to the need for independent validation.\n\n\n\nCONSISTENT VERIFICATION OF CONTRACTORS\' WORK PRODUCTS NEEDED\n\nDIRM Project Managers and staff were not consistent in the level of verification they applied to\ncontractor work products. Verification is the review process to ensure that development work\nproducts are clear, traceable to other documents, consistent, and complete. For one project, the\nDIRM project team did not effectively communicate with contractor staff to ensure that user\nrequirements were completely defined and all design issues were resolved. For another project, the\nDIRM project team did not verify the contractor\xe2\x80\x99s work products before forwarding them to the\nclient. Instead, the contractor followed a practice of releasing portions of deliverables\nsimultaneously to the DIRM project team and the client. The contractor also communicated\nindependently with the client staff. In order for the DIRM Project Manager to exercise full\nresponsibility for ensuring thorough verification of contractor work products, this individual should\nbe involved in all communications between contractor development personnel and the client.\n\n\n\n                                                  4\n\x0cBecause DIRM extensively uses contractor-supplied resources for systems design and development\nwork, the need for work product verification by DIRM project personnel is increased. The FDIC\nAcquisition Policy Manual directs that DIRM, as the organization responsible for project\nmanagement, should review all work products received from contractors. Such review is best\nperformed before forwarding deliverables or portions thereof to the client\norganization for additional review, because DIRM\'s focus is on verifying overall completeness and\nquality while the client\'s focus is on validating whether the proposed system will meet its\nneeds. Also, DIRM participation in all communications between the client and the contractors will\nincrease DIRM\xe2\x80\x99s ability to effectively verify resulting documentation.\n\nWe found that DIRM verification contributed to the overall progress of projects toward completion.\nFor example, for one of the current projects, DIRM verification was particularly emphasized. As a\nresult, this project was on schedule and progressing toward completion. This project also had a\nlarge contingent of DIRM employees to perform the verification function. Conversely, we noted\nthat for a project where DIRM had not devoted as much effort to verification steps, there were\ndelays in progress towards completion. This project was also not as fully staffed with DIRM\nemployees insofar that it had only one DIRM employee, the Project Manager, assigned. Also, for\nthis project, the role of verification was shared with the client organization, resulting in a lessening\nof control by the DIRM project team. This, in turn partially contributed to the "requirements creep"\nexperienced. That is, the requirements definition phase was prolonged, and major delays in\nprogress toward project completion occurred as a result. The delays caused the requirements\ndefinition and the design phases to extend for a greater time period than was originally intended for\nthe entire project.\n\n\nVERIFICATION THAT WORK PRODUCTS ADHERE TO SYSTEM DEVELOPMENT\nLIFE CYCLE STANDARDS NEEDS IMPROVEMENT\n\nAn important element of verification involves ensuring adherence to SDLC documentation\nstandards. Our review found that the quality of project documentation supporting development\nprojects could be improved. We noted that certain required components of documentation were\neither absent, incomplete, or not developed in the proper chronological sequence. For the\nFunctional Requirements Document, greater detail was needed in describing the proposed business\nprocess to be automated, and traceability matrices were not always developed. For the External\nDesign Document, greater detail was needed in descriptions of the proposed technical architecture\nand more guidance could clarify when and how the External Design Document and the Internal\nDesign Document could be combined. A number of other significant, but less frequent departures\nfrom the SDLC standards were also noted.\n\nThe FDIC\'s SDLC Manual establishes documentation standards, the purpose of which are to\nprovide guidance to ensure the delivery of quality systems that meet user needs in a timely and cost-\neffective manner. As stated in its introduction, "The FDIC SDLC Manual is a tool that lends\nconsistency to the process, products, and terminology which should be used to develop or maintain\nFDIC systems. It ensures sound communication and mutual understanding of SDLC processes\nbetween DIRM and the user."\n                                                   5\n\x0cEffective QA in the form of verification of compliance with established procedures can enhance a\nproject\'s success. Such oversight is critical due to the pressures to deliver products to clients and,\ntherefore, occasional tendencies to shortcut the SDLC process. Non-compliance with\nestablished procedures can also occur when requirements are misinterpreted. Enhanced\nspecificity and increased use of illustrative examples could serve to reduce such misunderstandings.\n\n\nRequirements Definition Phase\n\nWe identified six development projects that we believe would have benefited from improved\ndocumentation during the Requirements Definition Phase. Two development projects would have\nbenefited from an improved Functional Requirements Documents (FRD). The assurance of\nsuccess for two other development projects would have been increased if the project team had\ndeveloped a traceability matrix, a tool that connects the FRD to a related test plan. Finally, the\nproject teams for two earlier projects initiated design and development work before FRDs were\ncompleted and approved, the consequences of which have been presented in the related audit\nreports. For the current projects, we cannot presently comment on the effects of cited\ndocumentation shortcomings because additional time would be required for such effects to present\nthemselves. Discussion of needed documentation improvements follows.\n\n\xe2\x80\xa2   Improved Functional Requirements Document: For one of the projects reviewed, an\n    improved FRD would have benefited the project by more clearly describing the proposed\n    methods for addressing the client\xe2\x80\x99s business process requirements. The lack of clarity\n    contributed to the resulting FRD not addressing all existing business processes or how they\n    would be improved by the new system. For another project, the FRD did not describe a major\n    business process to be supported by the planned system. As a result, the development team was\n    forced to re-analyze the process after the departure of a contract employee who had acquired,\n    but not documented, the business process to be supported.\n\n\xe2\x80\xa2   Traceability Matrix: In addition to a Functional Requirements Document, the SDLC Manual\n    requires the development of a system test plan during the Requirements Definition Phase,\n    including a traceability matrix linking requirements to the individual test scripts prepared later\n    in the project. Test plans for two of the projects reviewed did not include a traceability matrix,\n    reducing assurance that all functional requirements were addressed and adequately tested.\n\n\xe2\x80\xa2   Complete, Approved Functional Requirements Document: For two previously audited\n    development projects, the project team proceeded with design and development work prior to\n    the completion and approval of an FRD. For one of these projects, the project team revised\n    certain requirements after design and development had commenced. Project personnel\n    determined that the changes in requirements would require re-performing as much as        90\n    percent of design and development work that had been completed.\n\n\n\n\n                                                   6\n\x0c    In our audit of another previous development project, we were informed that the delays in\n    completing and approving the FRD were intentional inasmuch that the project team was\n    employing the concept of evolutionary prototyping. DIRM agreed with our audit\n    recommendation to evaluate and clarify when evolutionary prototyping can be used to reduce\n    development schedules. We did not identify any current projects where development\n    preceded the completion of the FRD. However, DIRM has not yet issued its clarifying\n    guidance.\n\n\nExternal Design Phase\n\nWe identified five projects that would have benefited from improved documentation during the\nExternal Design Phase. For one project, the External Design Document lacked several important\ncomponents required by the SDLC Manual. In three other projects, including one of the projects\nreceiving a prior audit, the descriptions of the proposed technical architecture were not sufficiently\ndetailed to properly facilitate reviews for feasibility and suitability. For another project,\ncomponents for the External Design Document and the Internal Design Document were\ninappropriately combined, thereby prolonging the period required for the client to review and\napprove the system design. Discussion of possible improvements during the external design phase\nfollows.\n\n\xe2\x80\xa2   Missing Required Components: The External Design Document for one project did not\n    include all critical components required by the SDLC Manual, including the user interface\n    screen designs and the output report layouts. These were later included in the Internal Design\n    Document. However, the SDLC Manual requires end-user oriented components such as these\n    to be included in the External Design Document which is prepared earlier in the project before\n    other detailed design and development work commences. Also for this project, the traceability\n    matrix in the External Design Document referenced only a few of the requirements earlier\n    defined in the Functional Requirements Document. A complete traceability matrix is essential\n    in providing support for the External Design Document review and approval process.\n\n\xe2\x80\xa2   Technical Architecture Descriptions: For three projects, including one of the projects\n    previously audited, the proposed technical architecture was not fully described. The need for\n    complete and accurate architecture documentation is critical in today\xe2\x80\x99s complex and rapidly\n    changing technical environment. Today\xe2\x80\x99s systems are increasingly based on distributed\n    technology that makes use of a variety of software technologies that must be successfully\n    interfaced with one another. The feasibility and suitability of the technical architecture to be\n    employed for a given project has to be carefully considered and reviewed by a variety of\n    technical specialists. This is particularly critical because planned configurations often contain\n    features or software that have not yet been applied to other projects. The costs of making\n    changes to the technical architecture at a later stage of system development can be substantial\n    because of the need to re-perform work.\n\n\xe2\x80\xa2   Combined External and Internal Design Documents: For six of the current projects\n                                                   7\n\x0c    reviewed, the components required for an External Design Document were combined with\n    those for the Internal Design Document and a single, Technical Design Document was\n    produced. With the exception of one project, this practice did not appear to be detrimental to\n    effective project management because the other projects were relatively limited in scope or did\n    not require an overly lengthy period for design and development. However, for one of the\n    larger scale projects reviewed, combining documents contributed to a 20-month period for the\n    client to review and formally approve all needed functionality. By first providing the\n    client with a separate External Design Document, a document which contains most of the\n    information the client needs to review and approve, this time period may have been reduced.\n    For one of the projects using the combined document approach, two virtually identical\n    documents were issued, one designated as an External Design Document and the other as an\n    Internal Design Document. Further, neither document was signed off by client representatives\n    until completion of the development phase. These signoffs should have been obtained prior to\n    commencing work on the development phase. The Project Manager could not provide a clear\n    reason for the redundancy or the timing of document approval.\n    Postponement of signoffs by the client increases the risk that system programming will proceed\n    incorrectly leading to later re-work and additional costs.\n\n\xe2\x80\xa2   Guidelines for Combining Documents: As stated previously, we did not always find it to be\n    detrimental to effective project management to combine the External Design and Internal\n    Design phases for those projects which were relatively limited in scope or did not require an\n    overly lengthy period for design and development. Additionally, it is our opinion that this\n    methodology can be successful when a proposed system can be broken down into clearly\n    defined, independent functional modules. In such cases, internal design work can go forward\n    on some modules while external design work is still in progress in other modules. In some\n    cases, this practice can even be extended into the development phase. Because these\n    distinctions are not addressed in the SDLC Manual, what is needed are guidelines for use by\n    project management in deciding if and how a project may proceed with overlapping SDLC\n    phases.\n\n\nInternal Design Phase\n\nWe noted needed Internal Design documentation improvements for only one project. However, the\nneeded improvement was significant, i.e., an important component was missing from the Internal\nDesign Document. Specifically, the Internal Design Document should have contained detailed\ndescriptions of the internal logic to be employed, either graphically or in pseudo code using\npreviously defined data elements. Such information is intended to provide the final bridge between\nrequirements analysis and actual computer programming in describing the logic necessary to\ncorrectly write source code for all design units in the system. The absence of internal logic\ndescriptions increases the likelihood that program bugs will reside in the completed system.\n\n\n\n\n                                                 8\n\x0cRECOMMENDATIONS\n\nWe recommend that Director, DIRM, and Chief Information Officer:\n\n(1) Issue guidance to Project Managers describing their responsibility to ensure quality work from\n    contractors. Such guidance should stress the importance of the DIRM project team verifying\n    the completeness, accuracy, and consistency of deliverables or portions thereof prior to\n    forwarding them for validation by the client. Included should be a requirement to ensure that\n    contractor-provided development personnel do not communicate directly with\n    clients without the knowledge of the Project Manager.\n\n(2) Clarify the SDLC Manual or issue supplemental instructions regarding distinctions between the\n    documents produced for the External Design Phase and the Internal Design Phase, when\n    documents produced for these phases can be combined, and how the IT infrastructure and\n    related issues should be described.\n\n(3) Clarify the SDLC Manual or issue supplemental instructions regarding the circumstances in\n    which it would be permissible (a) for design and development work to proceed pending\n    approval of the Functional Requirements Document and, once the Functional Requirements\n    Document has been approved, (b) for the project team to commence work on the development\n    phase without having completed the design phase.\n\n\n\nOTHER ISSUES\n\nWe did not identify any recent or current development efforts that required independent validation\nefforts. However audits of earlier development projects illustrated the need for independent\nvalidation efforts when certain conditions are present. Specifically, development efforts intended to\nsupport a large or varied user population and development efforts of a long duration that may result\nin a turnover of client representatives are examples of instances that may require independent\nvalidation efforts. Because of the benefits that may sometimes accrue from independent validation,\nwe suggest that DIRM develop guidelines for its Project Managers describing when to consider\nindependent validation of user requirements across the various development phases.\n\nAs discussed earlier in this report, DIRM had eliminated its centralized QA function based on a\ndecision to increase the responsibility and accountability of project managers and line managers for\ndelivering quality systems. However, during the course of this audit, DIRM management has\ndecided to further support the role of project and line management in producing quality products by\nimplementing a new configuration and quality management function. This is to be embodied in a\nnew Configuration and Quality Management group. This action came to our attention in conducting\nthe Audit of Configuration Management (report no. 00-038) and we will be performing additional\naudit work pertaining to QA in the context of this new organization.\n\n\n\n                                                 9\n\x0cCORPORATION COMMENTS AND OIG EVALUATION\n\nOn September 14, 2000, the Director, DIRM, provided a written response to the draft report that\nconcurred with the recommendations. These comments are included as appendix I. The\nCorporation\'s response to the draft report provides the elements necessary for management\ndecisions on the report\'s recommendations. Appendix II presents management\'s proposed action on\nour recommendations and shows that there is a management decision for each recommendation in\nthis report.\n\n\n\n\n                                              10\n\x0c                                                                                   APPENDIX I\nFederal Deposit Insurance Corporation\n3501 North Fairfax Dr., Arlington, VA 22226                           Division of Information Resources Management\n\n\n\n                                               September 14, 2000\n\n\nTO:                    David H. Loewenstein\n                       Assistant Inspector General\n\n\n\nFROM:                  Donald C. Demitros, Director\n\nSUBJECT:               DIRM Management Response to the Draft OIG Report Entitled, "Audit of DIRM\xe2\x80\x99s\n                       Actions to Ensure Quality Products\xe2\x80\x9d\n\n\n\nThe Division of Information Resources Management (DIRM) has reviewed the subject draft audit\nreport and generally agrees with the findings and recommendations.\n\nThe OIG\'s recommendation along with DIRM\'s response is provided below:\n\nOIG Recommendation:\n\n           We recommend that Director, DIRM, and Chief Information Officer:\n\n           (1) Issue guidance to Project Managers describing their responsibility to ensure quality\n               work from contractors. Such guidance should stress the importance of the DIRM\n               project team verifying the completeness, accuracy, and consistency of deliverables or\n               portions thereof prior to forwarding them for validation by the client. Included should\n               be a requirement to ensure that contractor-provided development personnel do not\n               communicate directly with clients without the knowledge of the Project Manager.\n\n           (2) Clarify the SDLC Manual or issue supplemental instructions regarding distinctions\n               between the documents produced for the External Design Phase and the Internal Design\n               Phase, when documents produced for these phases can be combined, how the IT\n               infrastructure and related issues should be described.\n\n           (3) Clarify the SDLC Manual or issue supplemental instructions regarding the\n               circumstances in which it would be permissible (a) for design and development work to\n               proceed pending approval of the Functional Requirements Document and, once when\n               the Functional Requirements Document has been approved, (b) for the project team to\n               commence work on the development phase without having completed the design phase.\n\n\n                                                      11\n\x0cDIRM Response:\n\n     DIRM concurs with the recommendations and will prepare and issue supplemental\n     guidance in accordance with the recommendations. The guidance will address the\n     following:\n\n     (1) Description of the responsibilities of Project Managers to ensure quality work from\n         contractors, stressing the importance of the DIRM project team verifying the\n         completeness, accuracy, and consistency of deliverables prior to forwarding them for\n         validation, and including a requirement that contractor-provided development personnel\n         do not communicate directly with clients without the knowledge of the Project\n         Manager.\n\n     (2) Clarifying the distinctions between the documents produced for the External design\n         Phase and the Internal Design Phase, when documents produced for these phases can be\n         combined, and how the IT infrastructure and related issues should be described.\n\n     (3) Clarifying circumstances in which it would be permissible (a) for design and\n         development work to proceed pending approval of the Functional Requirements\n         Document and (b) once the Functional Requirement Document has been approved, for\n         the project team to commence work on the development phase without having\n         completed the design phase.\n\n     DIRM will issue the proposed guidance by January 31, 2001.\n\n     If you have any questions, please contact Rack Campbell, DIRM\'s Audit Liaison, at\n     (703) 516-1422.\n\n\n     cc:    Vijay Deshpande, OICM\n            Wayne Gooding, DIRM\n            Martha Adams, DIRM\n            Janet Roberson, DIRM\n\n\n\n\n                                             12\n\x0c                                                                                                                 APPENDIX II\n                               MANAGEMENT RESPONSES TO RECOMMENDATIONS\n\nThe Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its\nsemiannual reports to the Congress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance, several\nconditions are necessary. First, the response must describe for each recommendation\n\n   ! the specific corrective actions already taken, if applicable;\n   ! corrective actions to be taken together with the expected completion dates for their implementation; and\n   ! documentation that will confirm completion of corrective actions.\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for\nany disagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response.\n\nIf management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.\nSecond, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of action already taken or proposed and (2) the documentation\nconfirming completion of corrective actions are responsive to its recommendations.\n\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions. The\ninformation for management decisions is based on management\xe2\x80\x99s written response to our report.\n\n\n\n\n                                                                        13\n\x0c                                                                               Documentation                     Management\n  .                                                            Expected       That Will Confirm   Monetary       Decision: Yes\nNumber    Corrective Action: Taken o Planned/Status         Completion Date     Final Action      Benefits          or No\n         DIRM will prepare and issue supplemental\n         guidance to ensure quality work from contractors\n         stressing the importance of the DIRM project\n         team verifying the deliverables prior to                                                    Not             Yes\n  1                                                            01/31/01       Directive or Memo\n         forwarding them to the client and including a                                            Quantifiable\n         requirement that contractor- provided personnel\n         do not communicate directly with clients without\n         knowledge of the Project Manager.\n         DIRM will prepare and issue supplemental\n         guidance to clarify the distinctions between the\n         documents produced for the External Design\n                                                                                                    Not\n  2      Phase and the Internal Design Phase, when             01/31/01       Directive or Memo\n                                                                                                  Quantifiable       Yes\n         documents produced for these phases can be\n         combined, and how the IT infrastructure and\n         related issues should be described.\n         DIRM will prepare and issue supplemental\n         guidance to clarify circumstances in which it                                               Not\n  3                                                            01/31/01       Directive or Memo                      Yes\n         would be permissible for concurrent work                                                 Quantifiable\n         among several phases.\n\n\n\n\n                                                                  14\n\x0c'